Information overload. If you're responsible for maintaining your network's security, you're living with it every day. Logs, alerts, packet captures, and even binary files take time and effort to analyze using text-based tools - and once your analysis is complete, the picture isn't always clear, or timely. And time is of the essence.

Information visualization is a branch of computer science concerned with modeling complex data using interactive images. When applied to network data, these interactive graphics allow administrators to quickly analyze, understand, and respond to emerging threats and vulnerabilities.

Security Data Visualization is a well-researched and richly illustrated introduction to the field. Greg Conti, creator of the network and security visualization tool RUMINT, shows you how to graph and display network data using a variety of tools so that you can understand complex datasets at a glance. And once you've seen what a network attack looks like, you'll have a better understanding of its low-level behavior - like how vulnerabilities are exploited and how worms and viruses propagate.

You'll learn how to use visualization techniques to:

Audit your network for vulnerabilities using free visualization tools, such as AfterGlow and RUMINT

See the underlying structure of a text file and explore the faulty security behavior of a Microsoft Word document

Security visualization systems display data in ways that are illuminating to both professionals and amateurs. Once you've finished reading this book, you'll understand how visualization can make your response to security threats faster and more effective.

Greg Conti

Greg Conti, an Assistant Professor of Computer Science at the U.S. Military Academy in West Point, N.Y., has been featured in IEEE Security and Privacy magazine, the Communications of the ACM, and IEEE Computer Graphics and Applications magazine. He has spoken at a wide range of academic and hacker conferences, including Black Hat, DEFCON and the Workshop on Visualization for Computer Security (VizSEC). Conti runs the open source security visualization project, RUMINT, http://www.rumint.org/.

To those in the information assurance or network security fields, Security Data Visualization by Greg Conti is a must-read title due to the fact that it represents the first significant text to analyze the namesake of its title. For those unfamiliar with the utility of visualization systems, the text provides excellent examples of the graphical presentation of information to aid analysis, and of how human intuition can be far more effective than standard machine processing. After establishing the basics early on, the book dives into security applications very quickly. By the end of Chapter 2, Conti has already shown enough that the reader can see how to find a security vulnerability in the file structure of Microsoft Word documents via visualization techniques. As the book progresses so do the applications covered, which include network traffic visualization, visualization of firewall logs, and a handful of other topics. The work presented is extremely eye-opening, as it really has not gotten much attention outside of research and conferences. Security-minded readers unacquainted with this niche field will find the book impossible to put down.

This title is not without its drawbacks, which unfortunately are numerous. In writing Security Data Visualization, Mr. Conti seems to have lacked a clear opinion regarding the identity of his average reader. From the title, it might seem that this would be an advanced/applied topics book on computer security, which would imply an assumed basic knowledge level of the reader. Some chapters seem to make this assumption and waste no time getting to the heart of the matter associated with their chapter titles, whereas others get bogged down with extremely unnecessary levels of detail regarding information that does not belong in a book like this. As an example of several sections of this nature, nearly half of Chapter 3, entitled "Port Scans," is spent explaining TCP/IP and the OSI seven-layer model. These are topics that a majority of readers would need as prerequisite knowledge in order even to be interested in a book like this, and this inconsistent scope of information hinders the already short book by wasting pages on topics that do not directly relate to the title. The book also frequently falls victim to favoring 'what' over 'why' in explaining most topics. All too often chapters fail to rationalize design decisions, or why certain visualizations were used in conjunction with specific applications. In writing the first book for this field, it would have been much more beneficial to have the text read more like a tutorial than a proof of concept.

However, the most glaring problem with this book involves deception of the reader. In Chapter 5, "One Night on My ISP," the author introduces a security visualization program called RUMINT, which is a tool to visualize network packets, and juxtaposes it with heavyweight open-source security tools such as Wireshark and nmap. What is not to be found anywhere in the book, other than in an image caption in Chapter 11 and in a few small words on the back cover, is that RUMINT was written by the author and is not a community standard like the programs it is presented alongside. Further investigation into RUMINT at its project website (www.rumint.org) shows it is written in the obsolete Visual Basic 6 language and requires Microsoft Office as well as an expensive third-party component called PacketX to be installed in order to compile. Its use of the PacketX library also probably makes RUMINT illegally licensed under the Creative Commons version of the GPL it is published under. In addition, the software has several limitations and is incomplete, being nowhere near the level of maturity that the Wireshark or nmap projects have achieved over the years of community revision. If the author had stated anywhere in the text that he was using his own tool in order to illustrate a concept, all of the above would have been excusable. RUMINT is used throughout the book, and this is not the only example of selective omission in Security Data Visualization. Two chapters, which cover firewall log visualization and intrusion detection system log visualization, were written by his colleague Raffael Marty, who uses these chapters to anonymously promote his own software package called AfterGlow. The lack of disclosure regarding the origins of these programs results in a serious loss of trust in the author. Omissions of this nature, especially in a book related to information assurance, are very difficult to forgive.

Despite all of this criticism, Security Data Visualization is a must-have for any computer security professional's bookshelf. The abilities this book will add to your toolkit, such as being able to look at a visualization of your network traffic and then being able not only to eyeball that you are being portscanned but to identify the specific program the attacker is using, are nothing short of incredible. Each page is printed in full color on semi-gloss paper, presenting the wealth of visualizations and diagrams the way they were meant to be seen. Aside from covering most common network security topics in a completely new light, the book constantly reminds the reader of the youth of this niche field and provides ideas and suggestions for future work. With this book Mr. Conti has definitely succeeded in creating a groundbreaking title, and with some revisions and a second edition he almost certainly will succeed in creating a classic.

If you want to get into security visualization and don't know where to start, this is the book for you

By Chris Gates

from Undisclosed

Comments about O'Reilly Security Data Visualization:

If you want to get into security visualization, this is the book for you. This book gives you everything you need to get started in the field. You may be asking yourself why you should care or want to be interested in security visualization. In Chapter 1 the author sums it up nicely: "Visualizations make abstract data more coherent... In many cases, visualizations seek to display large amounts of information in a compact but useful way."

Before we get into the review, I'll disclose that I know the author and he gave me a review copy. I don't think this makes it easier for the author to get a good review; in fact, I think it makes it harder because I expect a lot from the author. It's his fault I'm into computer and information security, and I have taken courses that he taught, so he had high expectations to meet.

The first three chapters, An Overview of Information Visualization, The Beauty of Binary File Visualization, and Port Scan Visualization, give you all the background you need to get started and introduce you to the author's visualization tool, RUMINT. It was interesting to see the difference between nmap and unicornscan, and it paves the way to create signatures for all types of port scanners based on their default behavior. Chapter 4, Vulnerability Assessment and Exploitation, walks us through analyzing a dataset with an attack using the Metasploit Framework, which is very interesting and shows us that even with Metasploit's built-in IDS evasion, in the end it must create sockets and connections, and those can be seen with visualization tools (with the proper tweaking and analysis). I read the sample chapter available (Ch. 5, One Night on My ISP) before I read the whole book, and it was certainly easier to follow after reading the previous chapters. I think it gives you a good taste of what you can do with security visualization tools and what the book can teach you, but it can be hard to follow without the background material in the previous chapters. Chapter 6, A Survey of Security Visualization, gives us an overview of how other security researchers are solving security problems with different types of visualization. Chapters 7 (Firewall Log Visualization) and 8 (Intrusion Detection Log Visualization), written by the guest author Raffy Marty, use his tool "AfterGlow" to examine firewall logs and Treemaps to try to organize the volumes of IDS data. Chapter 9, Attacking and Defending Visualization Systems, shows us some sample attacks that attackers could use to thwart security visualization tools. The occlusion and windshield wiper attacks were interesting, as was the idea of using graphical attacks to send images to the analyst.
Chapters 10-12, Creating a Security Visualization System, Unexplored Territory, and Teaching Yourself, close out the book with discussions and thoughts on building your own security visualization tools, areas of future research, and obviously ways to help teach yourself security visualization.

Some likes and dislikes. I liked that the author regularly points us to background material and extra reading for every section. Each section could pretty much be a book in itself, so links to more reading and current research were helpful for the specific areas that piqued my interest. I really liked that the book was in color; I don't see the book being nearly as effective in black and white. I liked the guest author's take on visualization; it was nice to get a second opinion in the same book, and it was extremely nice that they didn't cover the same material like a lot of books that have multiple authors seem to do. Lastly, I liked that the author had created his own tool to do some of the visualization and that it's freely available on the tool's site. I was able to get up and running with RUMINT from the material in the book and the how-to on the site.

For dislikes, it would have been nice to have access to some of the scripts mentioned in the book. Hopefully the author will post those on his site. I didn't care for the font of the book, Times New Roman; the small Times New Roman font got a little tiresome to read after a chapter or two (minor gripe).

Overall, a great book and highly recommended to anyone interested in getting started with security visualization.